There was a simpler time. A time where the GOTO approach to solving Cybersecurity challenges, was buying tools and security products. Organizations rushed (and still do) to throw serious coin at products that touted the ability to fix all the ills plaguing the enterprise, and then some.
This may have felt like a strong strategy. It wasn't. Even for back in the day, it still fell woefully short of a holistic approach to security for the enterprise. Then, change came. That change has taken us all by storm. I am talking about:
1. The Cloud
7. <Insert new thing here>
With this massive shift in the IT Organization, there came a need and desperate realization that this new wave of challenges cannot possibly be fulfilled only by innovative products, but by trained and competent professionals who work for your team, addressing the challenges thrown by these new changes in the world of IT.
This has created a reasonably acute "skills shortage" in the world of Information Security. A shortage that seems to have been felt by nearly 74% of respondents of a survey by the Information Systems Security Association (ISSA) and the Enterprise Security Group (ESG). According to this survey
> 41% of respondents claim that the cybersecurity skills shortage has resulted in having to recruit and train junior employees rather than hiring experienced cybersecurity professionals
> 47% of respondents claim that the cybersecurity skills shortage has resulted in an inability to fully learn or utilize some security technologies to their full potential.
All of these indicators point to one single unequivocal truth
> Security is the #1 Bottleneck IT initiatives
Another clear indicator of this trend is that your organization needs training. Probably a lot of it. But what kind? Isn't existing training enough?
We at we45 have been running technical security training programs for over 7 years. Our trainings have evolved immensely since we started our first Application Security class for Developers in 2012. Ever since then we have trained for some of the most elite Fortune 1000 companies, as well as at prestigious industry events like BlackHat, DEF CON, OWASP AppSec, CodeBlue and so forth. In addition, we have trained on a variety of cutting-edge topics like DevSecOps, Container Security, Kubernetes Security, Serverless Security to name a few.
Based on our insight, we believe that these are some of the ways in which needs from security training have evolved:
Get your hands dirty
Security Training is really all about understanding and implementing practical concepts and techniques. So, any security training that focuses on largely theoretical concepts is likely to not only be ineffective, but probably even counter-productive. We've seen that folks really appreciate the nearly 75% hands-on, practical style of our classes that emerge from real-world implementations and real-world scenarios. We need hundreds of hours of time and careful effort in crafting hands-on labs for our training (both offensive and defensive) that folks not only enjoy, but learn boatloads from. Be it lateral movement on AWS or a Kubernetes exploit. Training needs to be hardcore and hands-on from the get go.
There was a time when popular trainings would be run on Virtual Machines (VMs). Instructors would handover USBs, links with large VM images that would need to be downloaded and run by participants for the labs. Till recently, even we have worked with Virtual Machines for several of our trainings. However, topics like Kubernetes, Containers, DevSecOps and Serverless, we've seen that VMs don't really mirror real-world implementations. In addition, VMs cannot possibly run massive stacks required for Kubernetes deployments or host a complete Serverless infrastructure.
This is why we moved all our hands-on labs to the cloud. Leveraging the power of the cloud, we've seen that participants not only get a great training experience, but are able to mirror real-world implementations of technical security subjects they would otherwise see at their workplaces.
Flow is a critical requirement for any training. There needs to be a certain progression of events that lead to an effective training being executed. Topics, Theory and Labs need to be interspersed to provide an optimum experience for the trainee. One of the key areas we focus on at we45's trainings is the flow. We agonize over the every last detail of the progression and flow of topics across the training, to ensure that the participant feels not only confident of the subject matter, but also confident that she can use it for practical use-cases immediately after the training
Not everyone learns at the same pace. Often we see folks who are very quick and adept in class. But we also see several folks who may find it tough to work through the labs in class, but are determined to work through the labs, at their own pace. This is why we provide a detailed set of lab manuals or instructions for folks to work through the labs at their own pace at home or at their workplace for posterity. Not only do they have the instructions, but we also make all the code and examples from the labs available to them for them to work through at their own pace.